On Monday, September 11, Apple and Google released security updates to address major flaws. The patched vulnerabilities are apparently ones that the NSO Group’s Pegasus spyware may have actively exploited in the wild. On September 12, Mozilla released a corresponding security update for Firefox.
The patches that Apple released on Monday are as follows:
For all of these, Apple patched the same ImageIO flaw (CVE-2023-41064) that it had fixed in macOS Ventura, iOS 16, and iPadOS 16 last Thursday, September 7.
Notably, last week Apple also patched a Wallet vulnerability (CVE-2023-41061) for iOS 16, iPadOS 16, and watchOS 9. For whatever reason, Apple did not address this flaw for iOS 15, iPadOS 15, and watchOS 8 today.
Also on Monday, Google released a security update for its popular Chrome browser. Google Chrome version 116.0.5845.187 addresses CVE-2023-4863, a heap buffer overflow in WebP. Apple and The Citizen Lab reported it to Google on September 6.
Google said that it “is aware that an exploit for CVE-2023-4863 exists in the wild.”
The Pegasus spyware likely leveraged this vulnerability as well, given who reported it and when.
As of Monday evening, updates did not appear to be available to address CVE-2023-4863 for other Chromium-based browsers. The most popular of these are Microsoft Edge, Brave, Vivaldi, and Opera. Be sure to check for updates for these browsers in the coming days and weeks.
You’ll also want to check for updates to apps that leverage the Electron framework or the Chromium Embedded Framework over the coming weeks. Such apps, if they remain unpatched, can put you at risk.
Update: On Tuesday, September 12, Mozilla released updates for Firefox (and Thunderbird, Mozilla’s e-mail app) to address the same vulnerability as Chrome. Interestingly, Mozilla used the same CVE number. This seems to imply that the vulnerability can be exploited in Firefox in the same way as Chromium-based browsers.
To ensure the patch is applied, verify that you’re running one of the following versions, or later: Firefox 17.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 115.2.2, or Thunderbird 102.15.1.
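The following is an added example, not part of the original post, showing one way to turn the minimum fixed versions quoted above into a check you can run against installed builds. It assumes a macOS .app bundle layout for reading the installed version, treats a release branch newer than any listed one as patched, and leaves non-ESR Firefox out (its minimum version is not asserted here).

```python
"""Check whether an installed browser/mail client build is at or past the
minimum fixed version named for CVE-2023-4863 (WebP heap buffer overflow)."""
import plistlib
import re
from pathlib import Path

# Minimum fixed versions quoted in the post, keyed by product and release branch.
# Non-ESR Firefox is deliberately omitted; consult the vendor advisory for it.
MIN_FIXED = {
    "chrome": {116: "116.0.5845.187"},
    "firefox-esr": {115: "115.2.1", 102: "102.15.1"},
    "thunderbird": {115: "115.2.2", 102: "102.15.1"},
}

def parse_version(text):
    """'115.2.1esr' -> (115, 2, 1); trailing letters such as 'esr' are ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_patched(product, installed):
    """True if `installed` is on a branch with a fix and at/after the fixed build.
    A major newer than every listed branch is treated as patched (shipped after
    the fix); an older, unlisted branch is treated as unpatched (no fix for it)."""
    branches = MIN_FIXED[product]
    v = parse_version(installed)
    if v[0] in branches:
        return v >= parse_version(branches[v[0]])
    return v[0] > max(branches)

def bundle_version(app_path):
    """Read CFBundleShortVersionString from a macOS .app bundle (None if absent).
    Assumption: the bundle's Info.plist carries the product version, as Chrome
    and Thunderbird do; it does not tell an ESR Firefox apart from a regular one."""
    plist = Path(app_path) / "Contents" / "Info.plist"
    if not plist.is_file():
        return None
    with open(plist, "rb") as f:
        return plistlib.load(f).get("CFBundleShortVersionString")

if __name__ == "__main__":
    # Hypothetical install paths; adjust for your machine.
    for product, app in [("chrome", "/Applications/Google Chrome.app"),
                         ("thunderbird", "/Applications/Thunderbird.app")]:
        ver = bundle_version(app)
        if ver is None:
            print(f"{product}: not installed at {app}")
        else:
            state = "patched" if is_patched(product, ver) else "UPDATE NEEDED"
            print(f"{product} {ver}: {state}")
```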
Image credits: iPhone by Rafael Fernandez (CC BY-SA 4.0); Pegasus by Nicolas Raymond (CC BY 2.0); composition by Joshua Long, Intego (CC BY-SA 4.0).